The success of any online enterprise is very much dependent on the stability and security of its computer networks. For an online enterprise, a network outage may be embarrassing, but more importantly, it can be potentially very costly. Consequently, online enterprises spend hundreds of thousands of dollars on protecting their networks from the wide variety of intrusive network activities that can temporarily slow down, or even take down, a computer network.
Online enterprises utilize a wide variety of protective measures to prevent unauthorized and unwanted network activities on their computer networks. For example, on the least sophisticated end of the scale is the ubiquitous username and password protection scheme. While password protection schemes are effective to a certain degree in protecting select computer resources from unauthorized access, password protection schemes are useless against other unwanted network activities, such as a denial of service (DoS) attack.
A far more sophisticated and effective protective measure that is almost universally utilized by online enterprises is a firewall system. However, firewalls are generally not effective against network attacks that originate locally, on the protected side of the firewall. Furthermore, firewalls sometimes fail. Therefore, many online enterprises go a step further and utilize network sensor devices, commonly referred to as network intrusion detection systems (IDSs), to detect and prevent network attacks.
FIG. 1 illustrates an example of a simple network environment 10 including an online enterprise 12 with a single server 14 protected by a network IDS 16. As illustrated in FIG. 1, the server 14 is connected to the Internet 18 via a firewall 20 and a switching device 22. The network IDS 16 is connected to a special port (e.g., a monitoring port) on the switching device 22 that mirrors all incoming and outgoing traffic to any device connected to the port, thereby making it possible for the network IDS 16 to receive and analyze all network traffic (e.g., data packets) that are communicated between any one of the computer devices 24, 26, 28 and the server 14. By analyzing all incoming and outgoing network traffic, the network IDS 16 is able to detect network attacks. Unfortunately, it is extremely uncommon for an online enterprise to have a network as simple as that presented in FIG. 1.
FIG. 2 illustrates an example of a network environment 30 including an online enterprise 32 having a slightly more complex network structure than that of FIG. 1. The online enterprise 32 illustrated in FIG. 2 includes four different server groups, each server group representing a different network segment. Each network segment is connected to the Internet 18 via one or more routers or switching devices, represented in FIG. 2 by the block figure with reference number 34. The switching devices 34 may include a load balancing device that services requests received via the Internet 18 from computer devices 24, 26 and/or 28. For example, when the load balancing device receives a request for a service or resource provided by server group 1, the load balancing device may intelligently forward the request to the server in server group 1 that is most capable of servicing the request.
Implementing a network IDS to detect network attacks for the network structure of the online enterprise 32 illustrated in FIG. 2 presents a variety of challenges. First, the volume of network traffic that flows to and from each of the server groups may be too great for a single IDS device to handle. For example, a single IDS may not be able to properly process all of the incoming data packets if the rate at which the packets are received outpaces the rate at which the packets are processed. Lost or dropped data packets may result in the inability to detect a network attack. Additionally, even if a single IDS could handle the network traffic flow, there is no single connection point in the network where the IDS could reside to capture all of the data that flows between each of the four server groups. For example, each of the server groups illustrated in FIG. 2 may be located in a different geographical location, making it difficult to monitor traffic flow from a centralized location. Finally, if an IDS attached to any single network segment were to fail, there would be no quick and easy way to re-route the traffic to a backup IDS device.
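The capacity and failover problems described above can be made concrete with a small discrete-time model. This is an added example, not code from the patent: it assumes a sensor with a bounded buffer and a fixed inspection rate per tick, a mirror port that never waits for the sensor, constructed traffic of one packet per flow per tick, and an "attack" that is only detected if every packet of its flow was inspected.

```python
from collections import deque

class Sensor:
    """One IDS sensor fed from a mirror port: a bounded buffer plus a fixed
    number of packets it can inspect per tick. Overflow is silently dropped."""
    def __init__(self, rate, buf):
        self.rate, self.buf = rate, buf
        self.q, self.seen, self.dropped, self.alive = deque(), set(), 0, True

    def offer(self, pkt):
        if not self.alive or len(self.q) >= self.buf:
            self.dropped += 1      # the mirror port does not wait for the sensor
        else:
            self.q.append(pkt)

    def tick(self):
        for _ in range(min(self.rate, len(self.q))):
            self.seen.add(self.q.popleft())

def simulate(sensors, flows=16, ticks=10, attack_flow=9, fail=None, reroute=True):
    """Offer one constructed packet per flow per tick, pinning each flow to a
    sensor by flow id so a flow's packets stay together. fail=(tick, index)
    kills a sensor; with reroute its flows move to the remaining live sensors,
    otherwise they keep going to the dead sensor's port. Returns (packets
    dropped, attack detected); detection requires every packet of the attack
    flow to have been inspected by some sensor."""
    attack = set()
    for t in range(ticks):
        if fail and t == fail[0]:
            sensors[fail[1]].alive = False
        live = [s for s in sensors if s.alive] if reroute else sensors
        for f in range(flows):
            pkt = (f, t)
            if f == attack_flow:
                attack.add(pkt)
            live[f % len(live)].offer(pkt)
        for s in sensors:
            s.tick()
    seen = set().union(*(s.seen for s in sensors))
    return sum(s.dropped for s in sensors), attack <= seen

def single_sensor():    # one sensor, ingress twice its inspection rate
    return simulate([Sensor(rate=8, buf=8)])

def two_sensors():      # same load split across two sensors by flow
    return simulate([Sensor(8, 8), Sensor(8, 8)])

def failover(reroute):  # three sensors, sensor 0 dies at tick 5
    return simulate([Sensor(8, 8) for _ in range(3)], fail=(5, 0), reroute=reroute)
```

With the constructed parameters the single sensor drops half of every tick's packets and never sees the attack flow, splitting the same load across two sensors drops nothing, and a sensor failure only stays harmless when its flows are re-routed to the surviving sensors.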